0x0000 



a great fool in my life i have been 

i have squandered 'til pallid and thin 

hung my head in shame 

and refused to take blame 

for the darkness i know i've let win 

j knapp 
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0x0001 Who am I 



Scattered past in computing 
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Insecurity Researcher 

Captain l@stplace 

Father/Husband 

Curious fellow (sleepless too) 



0x0100 Programmatic Debugging 



Debugging other processes^ ram your 

Crny'j favorite language J:ij ' l ' : ' lJ '' l ' l ''' l ' ! ' :!l '>' li! ''' l '^^t' 

Accessing and Influencing CPU and 
Memory state of a process in a 
programmatic fashion 

- Logic and other language constructs 



0x0101 Explosion 

I Seyeigl key programp^tiG debuggers 



- PyDBG - Pedram (part of Pai Mei) 

- Immunity Debugger - Immunity Sec 

- Vtrace - Invisigoth (Vivisect) 

- NoxDbg - LinOxx (first Ruby debugger) 



(This talk will focus on Vtrace) 



0x0102 What can we do? 



Live Patching? Fun with Hex 
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- LivePatch 

Live Dumping? 

- LiveOrganTransplant 

Process Grep? 

- Visi's memgrep 

Va m py re J a ck S S H D 

- In progress by drb and myself 



0x0103 What can we do? 



everything else that GDB or Oily can do, 

only better | » midMmMMMM 

interactive python debugger 

- especially nice with searchMemoryQ and 
tracemeQ 

- automate frame interpretation 

what do you want to do? 



0x0200 Vulnerabilities 



what can we do to encourage yulns to 
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suddenlyappear? 

- fuzzing on its own is so ghetto! 

rather, what can we watch/do to catch 
indications of vulnerability? 



0x0300 Buffer Overflows? 



IIIIIH Breakpoints il^^^lyg.g^p^ns 
at break: 

- Stack-Analysis for Parameters 

- Buffer-Analysis for Size 

more empirical than static analysis 



0x0301 vtrace attach 



from vtrace import * iill;!^ 

me = getTrace ( ) 

me . attach (<pid>) 

me . addBreakpoint (MemcpyBreaker (me) ) 

me . setMode ( "RunForever" , True) 

me . run ( ) 



0x0302 memcpy ( ) 



mpmccpy()/mempcpy()/memmove() 
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- check length of dest (%ESP + 0x4) 

• HEAP (dlmalloc), check length field immediately 
before the pointer to the dest 

- heapptr -4 

- not always accurate.... copying partial chunks 

• Stack, check distance to RET 

- (%ebp + 4) - dest 

• oh, ifvoply that simple... 

- compare with Copy Size (%ESP + Oxc) 



0x0303 MemcpyBreaker 






ifeiSS§|; MemcpyBreaker (BreakpointPublisher';),^; 

!l|^Ci^^!i^:|;;|;;nL n i t-^ ;;;:; '( self) : 



def notify (self, event, trace): 
eip=trace . getProgramCounter ( ) 
esp=trace . getRegisterByName ( ' esp f ) 
ebp=trace . getRegisterByName ( ' ebp ' ) 

copylen=trace . readMemoryFormat ( (esp + Oxc) , AddrFmt) [0] 
retptr =trace . readMemoryFormat ( (esp + 0x0 ), AddrFmt) [0] 
dest =trace . readMemoryFormat ( (esp + 0x4) , AddrFmt) [0] 
src =trace . readMemoryFormat ( (esp + 0x8) , AddrFmt) [0] 
destlen = getBuf f erLen (dest) 
if (copylen >= destlen) : 

self .publish (BOFException (...)) 



0x8) , AddrFmt) [0] 



0x0400 EBP-FREE SUBS? 



some subs don't s|prt i ,n^^ i; ;^^ l k l , 1 frames 
using %ebp 

- Windows Libraries 

trouble measuring stack buffer length 



0x0401 EBP-FREE SUBS? 



some disassembly required... 



possible solutions: 

- Initial ESP Offset for Stack Allocation 

- Sub Epilog Analysis 

• ret $0x34 | 

• add $0x34, %esp 

- Sub Tracing for %esp Mods 

• 'til ret do us part 

• or jmp US 

- OR.... Stack Backtrace for RET 



0x0402 Stack Backtracing 



- start at %ESP ^^^^^^^ 

- loop up the stack by 4 bytes 

• if the current 32-bit number is valid address (maps) 

- look for a "call" opcode immediately before the address 

• if so, is the target address valid? 

• is it a call to memcpy or a call to a jmp to memcpy 
•fiOn Linux, does it target PIT? 

- Once found, that location on the stack 
becomes RET 

- Subtract the stack variable from the newly 
discovered RET location to find the length 



0x0403 findRETO 



r, AddrFmt) [0] 



def findRET (trace, stackptr = 0) : 
i ;,, iiSfiat l|; i':(S: |: i ,: f rue 
stackptr = trace . getRegisterByName ( ' esp \0 
while cont : 

stackptr -= 4 

address = trace . readMemoryFormat (stackpt 
mymap = trace . getMap (address) ) 
if mymap != None: # valid address? 
buf = trace . readMemory (address-8 , 8) 
for x in range (1,7) : 



op = Opcode (buf [x :] ) 

if (op. off == 8-x and op.opcode[0] == f c f ) : 
target c=^;se If . getOperandValue (op . dest) 
if tra^S . getMap (target) != None: 

# Possibly Check the Target of the call 

# ^?=J>ostly and not entirely accurate 
return address 



(check the latest atlasutils for a much improved version) 



0x0404 findNextHeapO 



def f indNextHeap (me, address) : 
l : ii<SMa;i:nji ;i ;# ; j; qetConnectedChain (me) 
for x in xrange (1, len (chain) ) :;: 

if chain [x] > address and chain [x-1] 
return chain [x] 



:= address 



0x0405 getConnectedChain () 



l»|ff H E A P m e m o ry pi a 111111^ 



• Searches for the first HEAP chunk 

• Traverses the forward pointers 

- Keeps track and returns them as a list 

• Works on Linux, not tried on Windows yet 

• Look for it in the next release of atlasutils 



0x0500 strcpy ( ) /strncpy ( ) 



itepy - compare length o|squrre and 
destination 

- dest pointer can be found at (%ESP + 0x4) 

- source pointer can be found at (%ESP + 0x8) 



0x0501 strcpy ( ) /strncpy ( ) 



strncpy - compare length , ; of .copy (size t) 
to destination 

- dest pointer can be found at (%ESP + 0x4) 

- size t can be found at (%ESP + Oxc) 



0x0502 strcat ( ) /strncat ( ) 



similar to st re PV/slsM^^^W, 



copies source and destination together 

difficult for coders to get right! (ie. often 
exploitable) 

best to look into logic surrounding strcat() 
limiting the size of both buffers 



0x0600 



- vfprinf covers printf and fprintf in Linux 

what's on the stack fb l F'Mrn^ l it' :l: st : f l i , ng? 

• %ESP + 0x8 

- does it live in a likely spot? 

• Heap? Stack? .rodata? 

- parse format string 

• are there "%" characters in it? 



0x0601 sprint f() 



- vsprintf covers sprintf in Linux 

what's on the stack for Torifiat: string? 

• %ESP + 0x8 

- does it live in a likely spot? 

• Heap? Stack? .rodata? 

- parse format string 

• are there "%" characters in it? 

• how long |Ea string can we create? 



0x0602 snprintf() 



- vsnprintf covers snprintf in Linux 

what's on the stack for Toririat string? 

•%ESP + 0x8 

- does it live in a likely spot? 

• Heap? Stack? .rodata? 

- parse format string 

• are there "%" characters in it? 

• how longilp the format string allow? 

• how long can we write? (%ESP + Oxc) 



0x0700 scanf/sscanf/fscanf 



parse format string 



- scanf's is located at %ESP+0x4 

- sscanf's and fscanf's are at %ESP + 0x8 

are there any "%s"? 

if so, where are we storing them? 

- must check each string 

• %45s against a buffer with 32 bytes 



0x0800 gets () /fgets () 




Just alert. Period. 



0x0801 getc()/fgetc() 



Igpp for getc 

how big is the loop? 

simpler just to identify in disassembly and 
write up... analysis for which loop 
mechanism is used is more complex than 
just eye-balling it. 



0x0900 memchr ( ) /memrchr ( ) 



check size t against length of string as in 

iilJI:,,!, 1 ;! 1 ;^ 1 :^!:' 1 ll: l ^'- 1 '^ ■ ^ !■■'. irn I ■!! 

memcpy 

may be used to look past a buffer as a 
potential target or source of data 



OxOaOO rep stos/rep movs 



S p G C 1 3 1 C 9 Se . ji |\p|f |p!ppp;p:pp|l 

need to disassemble code to hook these 

- Set breakpoint one instruction before 

- stepi() to reach start of opcode 

- Check %ECX against buffer length 



OxObOO Format Strings 



used with printf/s||||piilii 



%c = 1 byte^ 

%* = * bytes (depends on the size) 
%#d = at least # bytes, possibly more! 
See man page for scanf or printf for more 



OxOcOO Are there more? 



pu tell me! 

programmatic debugging is fresh turf for 
new ideas. 

"The force runs strong in your family... 
Pass on what you have learned..." 



OxOdOO choops 




hola y gracias amigos 
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- Dios 

- jewel 

- bug 

- ringwraith g 

- menace 

- l@stplaceig 

- invisigoth and K 



